Assume you were a victim of this devious malware, and decided, "No! I will not pay!"

Imagine that you've done a full cleanup; removed the malware from memory, hard disk and Windows registry; and gone to see what you can recover from your backup disks.

Now imagine that you are having malware cleaner's remorse.

Perhaps paying $300 would have been the pragmatic approach?

→ As we've been saying, our recommendation is not to pay up, but we also have to admit that it's easy for people who haven't had their favourite files scrambled to take that attitude.

Perhaps you had the malware for longer than you realised, and the backups you thought would help are scrambled?

Perhaps your infected computer had access to documents on a server at the office, and ruined other people's files, too?

In short, perhaps you'd like a chance to change your mind?

Enter the CryptoLockerDecryptionService:

This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.

Select any encrypted file and click "Upload" button.

The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours.

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.

OR if you already know your order number, you may enter it into the form below.

Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions.

Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind

The cost of is now 10 Bitcoins instead of the 2 Bitcoins they were after at the start - a sort of late payment penalty, like the taxation office imposes.

According to this latest website, you send them the first 1024 bytes of any encrypted file in order to determine your eligibilty for the new "service," and then wait up to 24 hours.

We're guessing that the delay is because the crooks have to run a brute force attack against themselves.

Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypting your data with every stored private key until they hit one that produces a plausible result.

They're not actually saying whether this new service works even if the 72 hour deadline imposed at the start has expired.

The implication, however, is that it will - not least because the 24-hour delay needed to process your "order" would otherwise reduce that deadline to 48 hours, cutting down their window for extortion substantially.

Furthermore, those 48 hours would have to include the time for you to clean up, find that you couldn't recover by more palatable means than the initial threat, change your mind, and contact the "second chance" website.

If so, the crooks' original claim was bogus all along:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.

Nobody and never, eh?

We're still saying, "Don't buy," but we're feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2000.

In the meantime, if you've decided not to pay - or have escaped the depredations of these crooks so far - we urge you to check out our advice:

I have some interesting feedback from a CryptoLocker malware affected
hungarian sysadmin.

[edited for brevity]

The malware did not seek out and encrypt or overwrite these nominally deleted file chunks [Microsoft Office autosave files], so the sysadmin managed to regain about 90% of all affected Excel and Word docs.

The recovery process took the lenght of the entire night and the orignal
filenames were lost. However, the file sizes of plain-text and malware-encrypted documents differ only very little, so it is usually possible to match them based on filesize info and thus find out the original file name.

Given that they do seem to be keeping every private key they have ever used surely there must be some white hat (ish) hacker who could break into their systems and steal that database and make it available to everyone.

Hundreds of billions spent for software to spy on its own people. Ibid, to spy on other countries' citizens. But a scant few millions catch cyber terrorists. How do you catch a crook?

FOLLOW THE MONEY.

Instead, we'll get excuses on how it's illegal for the government to pry into these financial affairs of our citizens and the world at large. Getting tired of the attitude that getting tough on IT terrorists may harm the huge security market and all the jobs it provides.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog